revert: initial implementation of rds billing (#1510)

* Revert "feat: add subscription items endpoint and call it when provisioning rds (#1478)"

This reverts commit 657815d.

* Revert "fix(provisioner): only delete new rds on failed subscription update (#1488)"

This reverts commit f81b5ef.

* fix: clippy

.circleci/config.yml

@@ -420,9 +420,6 @@ jobs:
       stripe-secret-key:
         description: "Stripe secret key used to connect a client to Stripe backend"
         type: string
-      stripe-rds-price-id:
-        description: "Stripe price id of Shuttle AWS RDS product."
-        type: string
       jwt-signing-private-key:
         description: "Auth private key used for JWT signing"
         type: string
@@ -463,7 +460,6 @@ jobs:
             DEPLOYS_API_KEY=${<< parameters.deploys-api-key >>} \
             LOGGER_POSTGRES_URI=${<< parameters.logger-postgres-uri >>} \
             STRIPE_SECRET_KEY=${<< parameters.stripe-secret-key >>} \
-            STRIPE_RDS_PRICE_ID=${<< parameters.stripe-rds-price-id >>} \
             AUTH_JWTSIGNING_PRIVATE_KEY=${<< parameters.jwt-signing-private-key >>} \
             CONTROL_DB_POSTGRES_URI=${<< parameters.control-db-postgres-uri >>} \
             GATEWAY_ADMIN_KEY=${<< parameters.gateway-admin-key >>} \
@@ -860,7 +856,6 @@ workflows:
           deploys-api-key: DEV_DEPLOYS_API_KEY
           logger-postgres-uri: DEV_LOGGER_POSTGRES_URI
           stripe-secret-key: DEV_STRIPE_SECRET_KEY
-          stripe-rds-price-id: DEV_STRIPE_RDS_PRICE_ID
           jwt-signing-private-key: DEV_AUTH_JWTSIGNING_PRIVATE_KEY
           control-db-postgres-uri: DEV_CONTROL_DB_POSTGRES_URI
           gateway-admin-key: DEV_GATEWAY_ADMIN_KEY
@@ -943,7 +938,6 @@ workflows:
           deploys-api-key: PROD_DEPLOYS_API_KEY
           logger-postgres-uri: PROD_LOGGER_POSTGRES_URI
           stripe-secret-key: PROD_STRIPE_SECRET_KEY
-          stripe-rds-price-id: PROD_STRIPE_RDS_PRICE_ID
           jwt-signing-private-key: PROD_AUTH_JWTSIGNING_PRIVATE_KEY
           control-db-postgres-uri: PROD_CONTROL_DB_POSTGRES_URI
           gateway-admin-key: PROD_GATEWAY_ADMIN_KEY

Makefile

@@ -47,7 +47,6 @@ MONGO_INITDB_ROOT_USERNAME?=mongodb
 MONGO_INITDB_ROOT_PASSWORD?=password
 STRIPE_SECRET_KEY?=""
 AUTH_JWTSIGNING_PRIVATE_KEY?=""
-STRIPE_RDS_PRICE_ID?=""
 
 DD_ENV=$(SHUTTLE_ENV)
 ifeq ($(SHUTTLE_ENV),production)
@@ -138,7 +137,6 @@ DOCKER_COMPOSE_ENV=\
 	MONGO_INITDB_ROOT_USERNAME=$(MONGO_INITDB_ROOT_USERNAME)\
 	MONGO_INITDB_ROOT_PASSWORD=$(MONGO_INITDB_ROOT_PASSWORD)\
 	STRIPE_SECRET_KEY=$(STRIPE_SECRET_KEY)\
-	STRIPE_RDS_PRICE_ID=$(STRIPE_RDS_PRICE_ID)\
 	AUTH_JWTSIGNING_PRIVATE_KEY=$(AUTH_JWTSIGNING_PRIVATE_KEY)\
 	GATEWAY_ADMIN_KEY=$(GATEWAY_ADMIN_KEY)\
 	DD_ENV=$(DD_ENV)\

auth/Cargo.toml

@@ -26,7 +26,6 @@ pem = "2"
 rand = { workspace = true }
 ring = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
-serde_json = { workspace = true }
 sqlx = { workspace = true, features = ["postgres", "json", "migrate"] }
 strum = { workspace = true }
 thiserror = { workspace = true }
@@ -44,4 +43,3 @@ portpicker = { workspace = true }
 serde_json = { workspace = true }
 shuttle-common-tests = { workspace = true }
 tower = { workspace = true, features = ["util"] }
-wiremock = "0.5"

auth/README

@@ -0,0 +1,13 @@
+# Auth service considerations
+
+## JWT signing private key
+
+Starting the service locally requires provisioning of a base64 encoded PEM encoded PKCS#8 v1 unencrypted private key.
+The service was tested with keys generated as follows:
+
+```bash
+openssl genpkey -algorithm ED25519 -out auth_jwtsigning_private_key.pem
+base64 < auth_jwtsigning_private_key.pem
+```
+
+Used `OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)` and `FreeBSD base64`, on a `macOS Sonoma 14.1.1`.

auth/src/api/builder.rs

@@ -2,19 +2,14 @@ use std::{net::SocketAddr, sync::Arc};
 
 use axum::{
     extract::FromRef,
-    handler::Handler,
     middleware::from_extractor,
     routing::{get, post, put},
     Router, Server,
 };
 use axum_sessions::{async_session::MemoryStore, SessionLayer};
 use rand::RngCore;
 use shuttle_common::{
-    backends::{
-        auth::{JwtAuthenticationLayer, ScopedLayer},
-        metrics::{Metrics, TraceLayer},
-    },
-    claims::Scope,
+    backends::metrics::{Metrics, TraceLayer},
     request_span,
 };
 use sqlx::PgPool;
@@ -27,8 +22,8 @@ use crate::{
 };
 
 use super::handlers::{
-    add_subscription_items, convert_cookie, convert_key, get_public_key, get_user, health_check,
-    logout, post_user, put_user_reset_key, refresh_token, update_user_tier,
+    convert_cookie, convert_key, get_public_key, get_user, health_check, logout, post_user,
+    put_user_reset_key, refresh_token, update_user_tier,
 };
 
 pub type UserManagerState = Arc<Box<dyn UserManagement>>;
@@ -38,7 +33,6 @@ pub type KeyManagerState = Arc<Box<dyn KeyManager>>;
 pub struct RouterState {
     pub user_manager: UserManagerState,
     pub key_manager: KeyManagerState,
-    pub rds_price_id: String,
 }
 
 // Allow getting a user management state directly
@@ -60,16 +54,17 @@ pub struct ApiBuilder {
     pool: Option<PgPool>,
     session_layer: Option<SessionLayer<MemoryStore>>,
     stripe_client: Option<stripe::Client>,
-    rds_price_id: Option<String>,
-    key_manager: EdDsaManager,
+    jwt_signing_private_key: Option<String>,
 }
 
-impl ApiBuilder {
-    pub fn new(jwt_signing_private_key: String) -> Self {
-        let key_manager = EdDsaManager::new(jwt_signing_private_key);
-
-        let public_key = key_manager.public_key().to_vec();
+impl Default for ApiBuilder {
+    fn default() -> Self {
+        Self::new()
+    }
+}
 
+impl ApiBuilder {
+    pub fn new() -> Self {
         let router = Router::new()
             .route("/", get(health_check))
             .route("/logout", post(logout))
@@ -78,17 +73,6 @@ impl ApiBuilder {
             .route("/auth/refresh", post(refresh_token))
             .route("/public-key", get(get_public_key))
             .route("/users/:account_name", get(get_user))
-            .route(
-                "/users/subscription/items",
-                post(
-                    add_subscription_items
-                        .layer(ScopedLayer::new(vec![Scope::ResourcesWrite]))
-                        .layer(JwtAuthenticationLayer::new(move || {
-                            let public_key = public_key.clone();
-                            async move { public_key.clone() }
-                        })),
-                ),
-            )
             .route(
                 "/users/:account_name/:account_tier",
                 post(post_user).put(update_user_tier),
@@ -112,8 +96,7 @@ impl ApiBuilder {
             pool: None,
             session_layer: None,
             stripe_client: None,
-            rds_price_id: None,
-            key_manager,
+            jwt_signing_private_key: None,
         }
     }
 
@@ -141,26 +124,27 @@ impl ApiBuilder {
         self
     }
 
-    pub fn with_rds_price_id(mut self, price_id: String) -> Self {
-        self.rds_price_id = Some(price_id);
+    pub fn with_jwt_signing_private_key(mut self, private_key: String) -> Self {
+        self.jwt_signing_private_key = Some(private_key);
         self
     }
 
     pub fn into_router(self) -> Router {
         let pool = self.pool.expect("an sqlite pool is required");
         let session_layer = self.session_layer.expect("a session layer is required");
         let stripe_client = self.stripe_client.expect("a stripe client is required");
-        let rds_price_id = self.rds_price_id.expect("rds price id is required");
-
+        let jwt_signing_private_key = self
+            .jwt_signing_private_key
+            .expect("a jwt signing private key");
         let user_manager = UserManager {
             pool,
             stripe_client,
         };
+        let key_manager = EdDsaManager::new(jwt_signing_private_key);
 
         let state = RouterState {
             user_manager: Arc::new(Box::new(user_manager)),
-            key_manager: Arc::new(Box::new(self.key_manager)),
-            rds_price_id,
+            key_manager: Arc::new(Box::new(key_manager)),
         };
 
         self.router.layer(session_layer).with_state(state)